Impressions
I recently bought a yubikey after attending BSides LA and meeting an individual who used one to secure his gmail accounts. $30 and about a week after ordering, I had a yubikey of my own. I keep it tethered to my new fenix flashlight (which the jury is still out on) so that I can find it easily and will remember to take it with me.
Now, I’ve been concerned about the physical security of my devices for a while. If you know my simplistic password, bingo, you’re in. With the yubikey, I was able to change that. It now takes both a token and a password to log into my computer. Plus, I’ve been intrigued by the yubikey since the Fedora Project started using it a few years ago.
Yubikey touts its one-time authentication token as its primary feature, but the yubikey has more than just that. You can choose any two of the following modes:
- One-Time-Password
- Challenge-Response
- Static Password (32-character limit, which saddens me)
- OATH
Challenge-Response Auth Tokenization
When I plan things, I always plan on my internet connection not working or being unavailable. To me, the only usable features of the yubikey are challenge-response and static password. So, I set up challenge-response in the first slot and static password in the second. Then, I set about requiring the challenge-response token to log into my account.
This post from the Vermont Linux and Unix User Group has a great guide on setting up challenge-response on your device. I’ll summarize:
- Install `pam_yubico` and `yubikey-personalization-gui`.
- Edit `/etc/pam.d/system-auth` to include:

```
# Users who are NOT in the "yubikey" group skip the next line (success=1),
# so only members of that group are required to present the token.
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so mode=challenge-response
```

- Run the following commands after inserting your yubikey:

```
sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
sudo groupadd yubikey
sudo usermod -aG yubikey username
```

You should now test that everything works correctly by pressing ctrl+alt+f2 and trying to log in with and without the yubikey. Do not log out of all of your sessions – if something’s broken you’re going to want to be able to fix it for sure!
Now, what I’ve implemented on my primary laptop doesn’t really secure the data, and I understand that. Sadly, I’m unable to fully encrypt my hard drive because of the triple boot with Windows. If you know the harder root password, you can easily bypass my login and see the data. Or, you could boot an external USB with its own OS and view the files. When I finally purchase a new laptop next year, full hard drive encryption with a single booting OS is on the docket.
Udev Locking
Now, what if you want the screen to lock every time you remove your yubikey? You can try to do that with udev. Udev is the device manager on Linux that reacts when devices are plugged into or removed from a computer. The Vermont LUUG page has some guides on how to make it work, but here’s what worked on my system (mostly).
- Install slock: `su -c "yum install -y slock"`
- Create the rules file: `touch /etc/udev/rules.d/98-yubikey-rules.rules`. If you do not end the file in .rules, then udev will ignore the file.
- Add the following text to that file:

```
SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_MODEL}=="Yubico_Yubikey_II", RUN+="/usr/local/bin/ykgone"
```

- Create the handler script: `touch /usr/local/bin/ykgone`
- Add the following to that file, changing `USERNAME` to be your username:

```
#!/bin/sh
# Only lock if no Yubikey is still attached; run the lock script as your user.
if [ -z "$(lsusb | grep Yubikey)" ] ; then
    /bin/su USERNAME -c /usr/local/bin/lock
fi
```

- Create the lock script: `touch /usr/local/bin/lock`
- Add the following to that file:

```
#!/bin/sh
DISPLAY=:0 slock
```

- Make both scripts executable: `chmod +x /usr/local/bin/lock && chmod +x /usr/local/bin/ykgone`
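The following is an added example, not code from the post or from the Vermont LUUG guide: a more defensive version of the `ykgone` handler. It separates the "is a key still attached?" decision from the side effect so the decision can be checked offline against constructed `lsusb` output, and it detaches the lock command with `setsid`, because udev runs `RUN+=` programs with a minimal environment and kills anything that outlives the event. `LOCK_USER`, the `setsid` path and the sample `lsusb` lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original post's script): defensive ykgone handler.
# Assumptions: LOCK_USER is your login name, /usr/bin/setsid exists (util-linux),
# and /usr/local/bin/lock is the post's lock script (DISPLAY=:0 slock).

LOCK_USER="${LOCK_USER:-USERNAME}"
LOCK_SCRIPT="/usr/local/bin/lock"

# Constructed sample lsusb output, used only for the offline checks.
LSUSB_WITH_KEY='Bus 001 Device 003: ID xxxx:xxxx Yubico.com Yubikey II
Bus 001 Device 001: ID xxxx:xxxx Linux Foundation 2.0 root hub'
LSUSB_WITHOUT_KEY='Bus 001 Device 001: ID xxxx:xxxx Linux Foundation 2.0 root hub'

# yubikey_present LISTING: succeed when the lsusb listing mentions a Yubikey.
# Taking the listing as an argument keeps the decision testable without hardware.
yubikey_present() {
    printf '%s\n' "$1" | grep -qi 'yubikey'
}

# decide_action LISTING: print "lock" when no key is attached, "keep" otherwise.
# Re-checking lsusb after the remove event avoids locking when another device
# matched the rule or when a second key is still inserted.
decide_action() {
    if yubikey_present "$1"; then
        echo keep
    else
        echo lock
    fi
}

# lock_screen: run the lock script as the desktop user, detached from the
# udev worker so udev's RUN timeout cannot kill slock along with the worker.
lock_screen() {
    /usr/bin/setsid /bin/su "$LOCK_USER" -c "$LOCK_SCRIPT" >/dev/null 2>&1 &
}

# ykgone_main: the entry point for udev. Absolute paths only; udev's PATH is minimal.
ykgone_main() {
    listing="$(/usr/bin/lsusb 2>/dev/null || true)"
    if [ "$(decide_action "$listing")" = lock ]; then
        lock_screen
    fi
}

# Act only when invoked as "ykgone run" (from the udev rule), so that sourcing
# this file to test the decision functions has no side effects.
case "${1:-}" in
    run) ykgone_main ;;
esac
```

With this layout the udev rule becomes `RUN+="/usr/local/bin/ykgone run"`, and you can exercise the decision logic from a shell with `. /usr/local/bin/ykgone; decide_action "$(lsusb)"` before trusting it to the remove event.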
Debug
While there are plenty of other posts and ways on how to get a system to lock when the yubikey is pulled, there are very few on how to debug the udev system. The command that I found the most helpful was `udevadm test --action="remove" /devices/pci0000:00/0000:00:1d.1/usb3/3-1`, which tested what would have happened if I removed something. That helped me figure out that without my udev rules ending in .rules it wouldn’t be used. You’ll need to change that device address to wherever your yubikey is attached. `udevadm monitor` will spit out the device address whenever you remove or insert your yubikey.
Mostly
I said mostly, because for whatever reason I couldn’t get my system to lock properly with anything other than slock. Also, slock doesn’t require my yubikey to unlock the system. There are no SELinux denials that I can see, and I’ve stepped through as well as I can.
At this point, I’ve decided that I’m better off remembering to grab my yubikey and press ctrl+alt+l to lock the system – at least then it requires proper two-factor auth to get back into my computer.
Ending Thoughts
The yubikey works fairly well. I’ll be able to use it as a challenge-response key for full hard drive encryption in the future. I’m not thrilled that the static password can only be 32 characters long. It should be 64-128 long, or more. It’d also be nice if the company could add a third programmable slot so that you could still maintain the OTP functionality without losing the ability to use 2 very good offline-usable authentication methods. But at $30 it may be too much to ask.
Should you buy it? If you want that extra auth token on your computer? Yes. What if you want to experiment with second-factor authentication? Sure. At $30 shipped, it’s a reasonable start. But if you’re passive about authentication the yubikey just doesn’t make sense.